? lib/obj
? scp/obj
? sftp/obj
? sftp-server/obj
? ssh/obj
? ssh-add/obj
? ssh-agent/obj
? ssh-keygen/obj
? ssh-keyscan/obj
? ssh-keysign/obj
? ssh-pkcs11-helper/obj
? sshd/obj
Index: clientloop.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/clientloop.c,v
retrieving revision 1.284
diff -u -p -r1.284 clientloop.c
--- clientloop.c 8 Feb 2016 10:57:07 -0000 1.284
+++ clientloop.c 25 Feb 2016 05:35:28 -0000
@@ -1497,6 +1497,7 @@ client_loop(int have_pty, int escape_cha
 debug("Entering interactive session.");
+#if 0
 if (options.control_master && ! option_clear_or_none(options.control_path)) { debug("pledge: id");
@@ -1526,7 +1527,7 @@ client_loop(int have_pty, int escape_cha
 if (pledge("stdio unix inet dns tty", NULL) == -1) fatal("%s pledge(): %s", __func__, strerror(errno)); }
-
+#endif
 start_time = get_current_time(); /* Initialize variables. */
Index: mux.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/mux.c,v
retrieving revision 1.58
diff -u -p -r1.58 mux.c
--- mux.c 13 Jan 2016 23:04:47 -0000 1.58
+++ mux.c 25 Feb 2016 05:35:29 -0000
@@ -1872,8 +1872,10 @@ mux_client_request_session(int fd)
 } muxclient_request_id++;
+#if 0
 if (pledge("stdio proc tty", NULL) == -1) fatal("%s pledge(): %s", __func__, strerror(errno));
+#endif
 signal(SIGHUP, control_client_sighandler); signal(SIGINT, control_client_sighandler);
@@ -1982,8 +1984,10 @@ mux_client_request_stdio_fwd(int fd)
 mm_send_fd(fd, STDOUT_FILENO) == -1) fatal("%s: send fds failed", __func__);
+#if 0
 if (pledge("stdio proc tty", NULL) == -1) fatal("%s pledge(): %s", __func__, strerror(errno));
+#endif
 debug3("%s: stdio forward request sent", __func__);
Index: scp.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/scp.c,v
retrieving revision 1.184
diff -u -p -r1.184 scp.c
--- scp.c 27 Nov 2015 00:49:31 -0000 1.184
+++ scp.c 25 Feb 2016 05:35:30 -0000
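Review bot: The `#if 0` added in client_loop() ahead of the `options.control_master` check compiles out both pledge() branches with no comment or build condition explaining why, so a default build of the client now runs the interactive session without reducing its syscall set. The same bare `#if 0`/`#endif` pair is repeated around the pledge() calls in mux_client_request_session() and mux_client_request_stdio_fwd() (mux.c), main() of scp.c, the setup before the ssh-agent.c main loop, and both calls in main() of ssh-keysign.c. If the intent is to build for a system without pledge, gate each site on a named macro instead, e.g. `#ifndef SSH_DISABLE_PLEDGE /* placeholder macro name: define only where pledge(2) is unavailable */`, and emit `debug("pledge disabled at build time");` in the disabled case so the loss of confinement shows up in logs. The enclosing functions begin and end outside these hunks.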
@@ -463,6 +463,7 @@ main(int argc, char **argv)
 if (!isatty(STDOUT_FILENO)) showprogress = 0;
+#if 0
 if (pflag) { /* Cannot pledge: -p allows setuid/setgid files... */ } else {
@@ -472,6 +473,7 @@ main(int argc, char **argv)
 exit(1); } }
+#endif
 remin = STDIN_FILENO; remout = STDOUT_FILENO;
Index: ssh-agent.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh-agent.c,v
retrieving revision 1.212
diff -u -p -r1.212 ssh-agent.c
--- ssh-agent.c 15 Feb 2016 09:47:49 -0000 1.212
+++ ssh-agent.c 25 Feb 2016 05:35:30 -0000
@@ -1385,8 +1385,10 @@ skip:
 signal(SIGTERM, cleanup_handler); nalloc = 0;
+#if 0
 if (pledge("stdio cpath unix id proc exec", NULL) == -1) fatal("%s: pledge: %s", __progname, strerror(errno));
+#endif
 while (1) { prepare_select(&readsetp, &writesetp, &max_fd, &nalloc, &tvp);
Index: ssh-keysign.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh-keysign.c,v
retrieving revision 1.52
diff -u -p -r1.52 ssh-keysign.c
--- ssh-keysign.c 15 Feb 2016 09:47:49 -0000 1.52
+++ ssh-keysign.c 25 Feb 2016 05:35:30 -0000
@@ -170,8 +170,10 @@ main(int argc, char **argv)
 size_t slen, dlen; ssh_malloc_init(); /* must be called before any mallocs */
+#if 0
 if (pledge("stdio rpath getpw dns id", NULL) != 0) fatal("%s: pledge: %s", __progname, strerror(errno));
+#endif
 /* Ensure that stdin and stdout are connected */ if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2)
@@ -233,8 +235,10 @@ main(int argc, char **argv)
 if (!found) fatal("no hostkey found");
+#if 0
 if (pledge("stdio dns", NULL) != 0) fatal("%s: pledge: %s", __progname, strerror(errno));
+#endif
 if ((b = sshbuf_new()) == NULL) fatal("%s: sshbuf_new failed", __progname);
Index: sshd/Makefile
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshd/Makefile,v
retrieving revision 1.88
diff -u -p -r1.88 Makefile
--- sshd/Makefile 14 Jan 2016 16:17:40 -0000 1.88
+++ sshd/Makefile 25 Feb 2016 05:35:30 -0000
@@ -17,7 +17,7 @@ SRCS= sshd.c auth-rhosts.c auth-passwd.c
 auth2-none.c auth2-passwd.c auth2-pubkey.c \ monitor_mm.c monitor.c monitor_wrap.c \ sftp-server.c sftp-common.c \
- sandbox-pledge.c
+ sandbox-systrace.c
 .if (${SSH1:L} == "yes") SRCS+= auth-rsa.c auth-rh-rsa.c auth1.c
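Review bot: Replacing `sandbox-pledge.c` with `sandbox-systrace.c` in SRCS changes which mechanism confines sshd's privilege-separated child, and the Makefile carries no comment or conditional recording that. Presumably this accompanies the disabled pledge() calls in the other files, but nothing visible here checks that systrace is available on the target, so it is worth confirming that the child fails closed rather than running unsandboxed when it is not. Selecting the file through a make variable would keep the default build unchanged, for example `SANDBOX_SRC?= sandbox-pledge.c` (placeholder variable name) with `${SANDBOX_SRC}` in the SRCS list.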